Secure testing team - Apr 2006 - Horde3 Vulnerability: CVE-2006-1491 remote arbitrary command execution

tags  361967 +etch sarge security
thanks

On Tue, Apr 11, 2006 at 10:46:07AM -0300, Pedro M?ller wrote:
>       See this:
>         http://www.securityfocus.com/bid/17292/info
>         Please, fix this or update to 3.0.10.
An update has been submitted to the security team; I suppose they are
going to release a security advisory and put the said update on the
archive on security.debian.org anytime now.

If you wish to use the update we prepared before it is approved by the
security team, you can take it from
http://people.debian.org/~lmamane/horde/ . (That update is for Debian
stable 3.1 sarge. Debian unstable sid is already fixed. Debian testing
etch (the "beta version" of Debian 3.2) is going to get the update
automatically in a few days. If you are running Debian testing etch,
you can install the horde3 / imp4 / turba2 / ... packages from
unstable sid.

The "secure testing" team might want to consider pushing turba2 2.1-1
to etch prematurely, as it is blocking horde3 3.1.1-1 (the version
that fixes this) to migrate to testing.

> This is critical!
Yes, it is.

-- 
Lionel

Lionel Elie Mamane wrote:
> tags  361967 +etch sarge security
> thanks
> 
> On Tue, Apr 11, 2006 at 10:46:07AM -0300, Pedro M?ller wrote:
> 
> >       See this:
> >         http://www.securityfocus.com/bid/17292/info
> 
> >         Please, fix this or update to 3.0.10.
> 
> An update has been submitted to the security team; I suppose they are
> going to release a security advisory and put the said update on the
> archive on security.debian.org anytime now.
Umm, sorry, I was under the impression, that the update was still being
prepared. I''ll check and upload tonight (European time).

Cheers,
        Moritz